Researchers at Microsoft discovered a number of vulnerabilities in the systemd unit known as networkd-dispatcher (CVE-2022-29799, CVE-2022-29800) that they collectively refer to as ‘nimbuspwn’. The two vulnerabilities are a directory traversal and a time-of-check-time-of-use (TOCTOU) race condition. The networkd-dispatcher unit is used to propagate network status changes so that various other system components can react accordingly. These communications are carried over the Desktop-Bus, commonly referred to as ‘D-Bus’. D-Bus is a software bus that allows processes on a host to communicate with each other by sending messages across the bus.
Each D-Bus component is identified on the bus by a unique name. This is the basis for how a threat actor would be able to communicate with networkd-dispatcher, exploiting the flow in which networkd-dispatcher takes in messages from the bus and acts on them. D-Bus provides two types of bus, a Session Bus and a System Bus. The System Bus is typically more desirable for a threat actor, as this is where most root-level processes communicate. A desirable D-Bus component name would be “org.freedesktop.network1”. Networkd-dispatcher, which runs as root on the System Bus, listens for messages from this unique network-related D-Bus component. Through the two vulnerabilities in the networkd-dispatcher process flow, it becomes possible to have networkd-dispatcher execute a payload as root on behalf of the “org.freedesktop.network1” D-Bus component, allowing any number of malicious actions to be performed.
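Because networkd-dispatcher acts on messages from whoever holds “org.freedesktop.network1”, a defender can audit who owns that name on the System Bus. The following is an added example, not code from the original article or from Microsoft's research; it assumes the column layout of `busctl --system list` and that the legitimate owner is systemd-networkd running as the systemd-network user, and its sample rows are constructed.

```python
import subprocess

WATCHED_NAME = "org.freedesktop.network1"
# Assumptions: the legitimate owner is systemd-networkd, running as the
# systemd-network user under systemd-networkd.service.
EXPECTED_USER = "systemd-network"
EXPECTED_UNIT = "systemd-networkd.service"

# Constructed sample rows in the column order of `busctl --system list`:
# NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
SAMPLE_EXPECTED = (
    "org.freedesktop.hostname1 - - - (activatable) - - -\n"
    "org.freedesktop.network1 612 systemd-network systemd-network :1.3 systemd-networkd.service - -\n"
)
SAMPLE_UNEXPECTED = (
    "org.freedesktop.network1 4321 python3 alice :1.97 user@1000.service - -\n"
)
SAMPLE_UNOWNED = "org.freedesktop.network1 - - - (activatable) - - -\n"


def audit_name_owner(listing, name=WATCHED_NAME):
    """Classify the owner of `name` in busctl list output."""
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != name:
            continue
        pid, process, user, _conn, unit = fields[1:6]
        if pid == "-":  # name is registered for activation but nobody holds it
            return {"status": "unowned"}
        owner = {"pid": int(pid), "process": process, "user": user, "unit": unit}
        ok = user == EXPECTED_USER and unit == EXPECTED_UNIT
        return {"status": "expected" if ok else "unexpected", **owner}
    return {"status": "absent"}  # name does not appear on the bus at all


def audit_live():
    """Run the same check against this host's System Bus (needs busctl)."""
    out = subprocess.run(
        ["busctl", "--system", "list", "--no-legend", "--no-pager"],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit_name_owner(out)


if __name__ == "__main__":
    for label, text in [("expected", SAMPLE_EXPECTED),
                        ("unexpected", SAMPLE_UNEXPECTED),
                        ("unowned", SAMPLE_UNOWNED)]:
        print(label, audit_name_owner(text))
```

An "unexpected" result on a host that runs networkd-dispatcher is worth investigating, since that process is the one whose messages the root-level dispatcher will act on.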